On Sun, 29 Jun 2025 17:29:25 +0100, Colin Paice <[email protected]> wrote:
>I'm struggling to understand the set up for userid and console permissions,

EMCS is a programming interface (MCSOPER) and USERID is not part of this interface. USERID (an ACEE) is associated to a set of tasks in the address space. Many times 1 user per address space but there are exceptions (e.g. CICS). Since you mention a standard TSO address space, you have 1 userid but remember that same userid may be active in other address spaces (e.g. batch).

>It feels like an EMCS is just an existing TSO userid.

EMCS is not related to any userid (including TSO). EMCS can be in use in any address space (e.g. TSO, CICS, IMS, batch, UNIX, STC and ...).

> As I read the documentation the console name is not important
>https://10.1.1.2:10443/zosmf/restconsoles/consoles/*EMCS003*,
>or the TSO command CONSOLE NAME(*EMCS003*).

Console names are important and should always be unique otherwise bad things could happen. Too many to list here.

1. I doubt the same console name can be in use by 2 programs at the same time. Userid does not play a role in uniqueness.
2. Your automation product uses multiple EMCS unique console names.

I believe TSO CONSOLE generates unique names for the user. Specifying a name should be a last resort when conflicts cannot be avoided.

> The doc says an EMCS userid needs to have an OPERPARM segment.

I can't remember for sure but I think it's ignored if class OPERCMDS is not active. BEWARE, activating OPERCMDS could adversely affect other important products (e.g. automation). You will need to verify every product using EMCS is working correctly under RACF control.

I did a quick search on racf setup opercmds and found https://www.ibm.com/docs/en/zos/2.1.0?topic=resources-administering-use-operator-commands that lists the generic steps. Realize that each product using EMCS will most likely have a section that describes their requirements.

>My userid needs read access to the profile MVS.MCSOPER.EMCS003.

If RACF class OPERCMDS is active, then you need to grant access to the consoles that user will use and this may include ranges of consoles. Your userid is valid in TSO, batch, CICS and more. A generic profile MVS.MCSOPER.** is not acceptable because it allows other users to potentially use a console name that you use.

USERID is associated to tasks within address spaces. Programs using EMCS will always run in a TCB and if a userid is needed, then it comes from the appropriate ACEE (user). Think CICS where it has an ACEE representing the userid for the address space and ACEEs representing each CICS user.

SDSF, TSO CONSOLE, TSO OPER, Netview and many others have implemented EMCS. Things probably changed since I last implemented EMCS. At that time, we could bypass or implement RACF. Look at the relevant product documentation. E.g. ISFPARM should document the SDSF definition which in the past used to allow ignoring RACF by defining users authority in ISFPARM. You mentioned the user's OPERPARM RACF segment was typically for TSO OPER.

>I could create a console-name COLIN1, and give only userid COLIN access to it.

This is the correct technique otherwise you risk someone using a name they should. This name is only useful when you control who has access. (e.g. syslog shows console name and you want to rely upon the command coming from colin).

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
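The per-console setup discussed in this message, as an added example that is not part of the original post: RACF commands, entered from a TSO session by a RACF administrator, that restrict console name COLIN1 to userid COLIN and then verify the result. It assumes the OPERCMDS class is already active and RACLISTed on the system; AUTH(INFO) is an illustrative OPERPARM value, not one taken from the thread.

```tso
/* Assumption: OPERCMDS is already active and RACLISTed. This     */
/* example does not activate the class, because activation        */
/* affects every product that uses EMCS.                          */

/* 1. Discrete profile for the one console name, default deny.    */
RDEFINE OPERCMDS MVS.MCSOPER.COLIN1 UACC(NONE) OWNER(SYS1)

/* 2. Only userid COLIN may activate a console with this name.    */
PERMIT MVS.MCSOPER.COLIN1 CLASS(OPERCMDS) ID(COLIN) ACCESS(READ)

/* 3. Console attributes for the userid (OPERPARM segment).       */
/*    AUTH(INFO) is an illustrative value; choose the authority   */
/*    the user actually needs.                                    */
ALTUSER COLIN OPERPARM(AUTH(INFO))

/* 4. Refresh the in-storage profiles so the change takes effect. */
SETROPTS RACLIST(OPERCMDS) REFRESH

/* 5. Verify: the access list should show COLIN with READ and     */
/*    universal access NONE.                                      */
RLIST OPERCMDS MVS.MCSOPER.COLIN1 AUTHUSER
LISTUSER COLIN OPERPARM NORACF

/* 6. Audit for broader profiles that also cover console names,   */
/*    such as the generic MVS.MCSOPER.** mentioned in the reply,  */
/*    and review the access list of each profile returned.        */
SEARCH CLASS(OPERCMDS) FILTER(MVS.MCSOPER.**)
```

With this in place, a syslog entry showing console name COLIN1 can be tied to userid COLIN, which is the property the reply says the name is useful for.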
